IBM Security Verify

  • 1.  OIDC - Userinfo endpoint

    Posted Tue January 15, 2019 07:34 AM
    Hello,

    Was wondering if someone in the forum has been working with the OIDC /userinfo endpoint regarding manipulating the output and formatting for the json object that is presented after the access token has been presented?

    We are acting as an OP and the consuming application is connecting to retrieve user attributes, but this fails for the groups JSON array below because of the escape character backslash \.

    Does anyone know if it is possible to manipulate how the JSON object is presented at the /userinfo endpoint?

    {
    "sub": "John",
    "employeetype": "Consultant",
    "address": "someAddress",
    "manager": "uid=John,ou=internal,ou=users,O=IBM",
    "name": "John surName",
    "groups": "[\"group1\",\"admin_group\",\"group2\",\"group3\"]",
    "given_name": "John",
    "family_name": "surName",
    "email": "mail@some.mail",
    "office": "Some city office"
    }

    Thanks.

    Best regards
    Magnus


  • 2.  RE: OIDC - Userinfo endpoint

    Posted Mon December 04, 2023 03:39 PM

    Hi Magnus,

    I'm experiencing the same behavior. 

    Have you found a solution for this? The app that consumes the userinfo endpoint expects the data to be un-escaped.

    Best regards, 

    Hernan



    ------------------------------
    Hernan Dario Arredondo Rivera
    ------------------------------



  • 3.  RE: OIDC - Userinfo endpoint

    IBM Champion
    Posted Tue December 05, 2023 03:08 AM

    Hi,

    In the mapping rule PostToken, there is a block where you can customize the response from /userinfo.

    You could try to override the "groups" claim there:

    if (request_type == "userinfo") {
        produceClaim("groups", "['group1','admin_group','group2','group3']", true);
    }


    ------------------------------
    André Leruitte
    ------------------------------



  • 4.  RE: OIDC - Userinfo endpoint

    Posted Mon January 15, 2024 02:18 PM

    Hi André,

    I need to generate Unix epoch time and map this epoch time to transaction id and conversation id in headers, and those headers have to be passed in the access token.

    Can you help in achieving the same?



    ------------------------------
    Hemant Kumar
    ------------------------------



  • 5.  RE: OIDC - Userinfo endpoint

    Posted Tue January 16, 2024 01:24 AM
    1. In the original example, groups are just being passed back as a JSON string. Whilst I agree that it would be better as a pure JSON array in the response, there is nothing illegal or incorrectly formatted about returning a string.  The caller of the userinfo endpoint could always do the equivalent of JSON.parse(groupStr) to get back to an array.
    2. Generating the Unix Epoch time is completely trivial. In the mapping rule André alluded to, just use the JavaScript Date class to do this. 
    3. This part of your ask makes no sense to me at all: "map this epoch time to transaction id and conversation id in Headers and that Headers has to pass in access token". Please re-write this as a clearer use case and question.


    ------------------------------
    Shane Weeden
    IBM
    ------------------------------
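
The two technical points in reply 5 (the relying party can JSON.parse a string-valued groups claim, and epoch time comes straight from the Date class), as an added example that is not code from this thread or from IBM. It is written from the consuming application's side: a helper that accepts the groups claim either as a native JSON array or as the JSON-encoded string shown in the first post, rejects anything else instead of silently treating it as "no groups", and a second helper that returns Unix epoch seconds. The sample userinfo bodies are constructed and modelled on the JSON in the original post; the function names are this example's own.

```javascript
// Constructed sample, modelled on the /userinfo body in the first post:
// "groups" arrives as a JSON-encoded string rather than a JSON array.
const SAMPLE_USERINFO_STRING_GROUPS = JSON.stringify({
  sub: "John",
  name: "John surName",
  groups: "[\"group1\",\"admin_group\",\"group2\",\"group3\"]",
  email: "mail@some.mail",
});

// Constructed sample of the preferred shape: "groups" as a native array.
const SAMPLE_USERINFO_ARRAY_GROUPS = JSON.stringify({
  sub: "John",
  groups: ["group1", "admin_group"],
});

// Returns the user's groups as a plain array of non-empty strings, whether the
// OP sent a JSON array or a JSON-encoded string of one. Any other shape throws,
// so a malformed claim cannot be mistaken for an empty group list.
function normalizeGroups(userinfoBody) {
  const info = JSON.parse(userinfoBody);
  let groups = info.groups;
  if (groups === undefined || groups === null) {
    return [];
  }
  // The case from the original post: parse the string back into an array.
  if (typeof groups === "string") {
    let parsed;
    try {
      parsed = JSON.parse(groups);
    } catch (e) {
      throw new Error("groups claim is a string but not valid JSON");
    }
    groups = parsed;
  }
  if (!Array.isArray(groups)) {
    throw new Error("groups claim is neither an array nor a JSON array string");
  }
  for (const g of groups) {
    if (typeof g !== "string" || g.length === 0) {
      throw new Error("groups claim contains a non-string or empty entry");
    }
  }
  // Deduplicate while preserving the OP's order.
  return Array.from(new Set(groups));
}

// Authorization check built on the normalized claim.
function hasGroup(userinfoBody, groupName) {
  return normalizeGroups(userinfoBody).includes(groupName);
}

// Reply 5, point 2: Unix epoch seconds via the Date class. getTime() is in
// milliseconds, so divide by 1000 and truncate.
function unixEpochSeconds(date = new Date()) {
  return Math.floor(date.getTime() / 1000);
}

console.log(normalizeGroups(SAMPLE_USERINFO_STRING_GROUPS));
console.log(hasGroup(SAMPLE_USERINFO_STRING_GROUPS, "admin_group"));
console.log(unixEpochSeconds(new Date("2019-01-15T07:34:00Z")));
```

The helper deliberately throws on a non-array or non-string entry rather than returning []; in an authorization path, an unparseable groups claim should fail closed, not grant the "no groups" outcome.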